Do we generate checksums for the gnome-os ISO images for verification ?
This was already asked in https://discourse.gnome.org/t/check-iso-integrity-checar-integridade-de-iso-gnome-os/9659, but didn’t get a response.
I tried bookmarking this topic as reminder, but clicking ... resulted in clicking Remove button, which was exactly below ... button.
I’ll try to report an issue in Bug - Discourse Meta.
I’m not sure, but you can see everything that happens during the build pipeline here: .gitlab-ci.yml · master · GNOME / gnome-build-meta · GitLab
s3-image is the job that uploads the fresh images. they go to S3 so there might be some checksum happening on the AWS side already
I’ve been bitten by this too, its a pretty bad design flaw in Discourse !
Thanks for the pointers.
I don’t see any checksum being generated as part of s3-image job. I think we should do sha256sum on all 3 images (iso / ostree / sysupdate) and upload the checksum file to CDN, and add instructions so users can download the checksum file needed to verify the downloaded images.
There are sha256sum data for various CI generated images in https://os.gnome.org/download/sysupdate/SHA256SUMS, but not for the 3 images (iso / ostree / sysupdate).
There is some sha256sum in test-s3-image job, but I guess the output goes to the CI log for manual verification or probably as test input to openQA.
Reported in https://meta.discourse.org/t/remove-button-below-show-more-button-causes-accidental-removal-of-post-topic/320210.
Yes, the reason we run sha256sum in the test pipelines is so we can be sure exactly what artifact was tested.
Check in #gnome-os:gnome.org how you could implement this - it would require modifications to the site which serves artifacts I think (main.py · master · Infrastructure / openshift-images / gnome-os-website · GitLab) to make the checksum files available.
I was thinking more like running sha256sum on the 3 images in s3-image job as:
sha256sum latest/installer_x86_64.iso > gnome-os.SHA256SUMS
sha256sum latest/disk_ostree_x86_64.img.xz >> gnome-os.SHA256SUMS
sha256sum latest/disk_sysupdate_x86_64.img.xz >> gnome-os.SHA256SUMS
aws s3 cp --acl public-read image/gnome-os.SHA256SUMS \
s3://gnome-build-meta/nightly/gnome-os.SHA256SUMS
Wouldn’t that work ?
That would work to generate the SHA256SUMs file, but how do you download that SHA256SUMs file from S3 afterwards? We don’t allow direct public access to the S3 bucket.
Sure.
Created the following issues.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.